Packetbeat: add support for EDNS/DNSSEC (#1292)
* Add EDNS OPT meta-RR information in `dns.opt` field
* Document EDNS fields
* Do some EDNS checks (UDP packet size, OPT RR present in request and response)
* Update vendor miekg/dns (EDNS fix)
* Add DNSSEC RRs
* Add new tests: begin `names_test.go` for RRs specific tests
* Refactor rrToMapStr/rrToString to use only one switch case
* Instantiate a logp.MakeDebug and use it throughout the dns package
McStork authored and andrewkroh committed Apr 20, 2016
1 parent 57477cf commit 349cf64
Showing 44 changed files with 1,253 additions and 339 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Expand Up @@ -186,6 +186,7 @@ https://github.com/elastic/beats/compare/v1.2.0...5.0.0-alpha1[View commits]
- Change the DNS library used throughout the dns package to github.com/miekg/dns. {pull}803[803]
- Add support for NFS v3 and v4. {pull}1231[1231]
- Add support for EDNS and DNSSEC. {pull}1292[1292]
*Topbeat*
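Review bot: The added entry "Add support for EDNS and DNSSEC. {pull}1292[1292]" does not mention that this change publishes new event fields under `dns.opt` (version, do, ext_rcode, udp_size). Naming the `dns.opt.*` fields in the entry would help users who maintain their own index templates or dashboards notice the schema change when upgrading.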
2 changes: 1 addition & 1 deletion glide.yaml
Expand Up @@ -42,7 +42,7 @@ import:
- package: github.com/go-ole/go-ole
version: v1.2.0
- package: github.com/miekg/dns
version: 85b661b2a6fc95a5a83e66d7730c4bc0b6e9c99e
version: c9d1302d540edfb97d9ecbfe90b4fb515088630b
- package: github.com/Shopify/sarama
version: v1.8.0
- package: github.com/klauspost/crc32
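Review bot: The `version:` pin for github.com/miekg/dns moves from one bare commit hash to another with nothing in the file saying why. The commit message mentions an EDNS fix; a YAML comment next to the pin naming that upstream fix would tell whoever bumps this dependency next which behaviour must not regress. Because this library is what the dns package uses to decode packets taken off the wire, it is also worth confirming in review that the vendored tree matches exactly this hash.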
24 changes: 24 additions & 0 deletions packetbeat/docs/fields.asciidoc
Expand Up @@ -638,6 +638,30 @@ The time interval in seconds that this resource record may be cached before it s
The data describing the resource. The meaning of this data depends on the type and class of the resource record.


==== dns.opt.version

example: 0

The EDNS version.

==== dns.opt.do

type: bool

If set, the transaction uses DNSSEC.

==== dns.opt.ext_rcode

example: BADVERS

Extended response code field.

==== dns.opt.udp_size

type: int

Requestor's UDP payload size (in bytes).

=== amqp Fields

AMQP specific event fields.
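Review bot: The description of `dns.opt.do`, "If set, the transaction uses DNSSEC.", overstates what the bit means. DO (DNSSEC OK) only signals that the sender can accept DNSSEC records in the response; it does not say the answer was signed or validated, and anyone writing detections on this field should not read it that way. Suggest wording along the lines of "The DNSSEC OK bit: the sender indicates it can accept DNSSEC resource records." Separately, `dns.opt.udp_size` is documented as the requestor's size, but the text does not say whether the published `dns.opt` values are taken from the request's or the response's OPT RR; stating that would remove the ambiguity.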
16 changes: 16 additions & 0 deletions packetbeat/etc/fields.yml
Expand Up @@ -644,6 +644,22 @@ trans_event:
The data describing the resource. The meaning of this data depends
on the type and class of the resource record.
- name: opt.version
description: The EDNS version.
example: "0"

- name: opt.do
type: bool
description: If set, the transaction uses DNSSEC.

- name: opt.ext_rcode
description: Extended response code field.
example: "BADVERS"

- name: opt.udp_size
type: int
description: Requestor's UDP payload size (in bytes).

- name: amqp
type: group
description: AMQP specific event fields.
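Review bot: `opt.version` is declared without a `type` and its example is the quoted string "0", while `opt.udp_size` right below is typed `int`. The EDNS version is a number, so either add `type: int` here or, if it is deliberately published as a string, say so in the description, so that consumers know whether numeric comparisons on the version will work.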
2 changes: 0 additions & 2 deletions packetbeat/protos/dns/README.md
Expand Up @@ -35,8 +35,6 @@ When response error Notes are linked to the previous request, the transaction is

**General**
* Publish an event with Notes when a Query or a lone Response cannot be decoded.
* Add EDNS and DNSSEC support (consider using miekg/dns instead
of gopacket).
* Consider adding ICMP support to
- correlate ICMP type 3, code 4 (datagram too big) with DNS messages,
- correlate ICMP type 3, code 13 (administratively prohibited) or